System, method and computer program product for portal user data access in a multi-tenant on-demand database system

ABSTRACT

In accordance with embodiments, there are provided mechanisms and methods for portal user data access in a multi-tenant on-demand database system. These mechanisms and methods for portal user data access in a multi-tenant on-demand database system can enable embodiments to provide portal-specific user accounts to the multi-tenant on-demand database system which have reduced configuration requirements than users directly accessing the multi-tenant on-demand database system. The ability of embodiments to provide portal-specific user accounts can reduce processing requirements of the database system.

CLAIM OF PRIORITY

This application claims the benefit of U.S. Provisional PatentApplication 61/320,152 entitled “METHOD AND SYSTEM FOR GROUP MEMBERSHIPMAINTENANCE AND RECORD ACCESS FOR HIGHLY SCALABLE PORTAL USER SYSTEM,”by Wu et al., filed Apr. 1, 2010 (Attorney Docket No,SFC1P112+/306PROV), and U.S. Provisional Patent Application 61/320,188entitled “METHOD AND SYSTEM FOR AN IMPLICIT SHARING MODEL FOR HIGHLYSCALABLE PORTAL USER SYSTEM,” by Wu et al., filed Apr. 1, 2010 (AttorneyDocket No. SFC1P113+/307PROV), the entire contents of which areincorporated herein by reference.

COPYRIGHT NOTICE

A portion of the disclosure of this patent document contains materialwhich is subject to copyright protection. The copyright owner has noobjection to the facsimile reproduction by anyone of the patent documentor the patent disclosure, as it appears in the Patent and TrademarkOffice patent file or records, but otherwise reserves all copyrightrights whatsoever.

FIELD OF THE INVENTION

One or more implementations relate generally to user access in databaseenvironment.

BACKGROUND

The subject matter discussed in the background section should not beassumed to be prior art merely as a result of its mention in thebackground section. Similarly, a problem mentioned in the backgroundsection or associated with the subject matter of the background sectionshould not be assumed to have been previously recognized in the priorart. The subject matter in the background section merely representsdifferent approaches, which in and of themselves may also be inventions.

In conventional database system, users access data in the database viaan account of the user with the database. The account typically includeslogin information for verifying the user with the database system, andmay further include permissions for indicating data of the databasesystem that the user is allowed to access. Unfortunately,implementations of user accounts in conventional database systems havebeen limited.

For example, conventional database systems store only a single type ofuser account. Accordingly, each user account of the database system isgenerally configured according to the same types of data, and dataaccess by users having the user account is generally processed in thesame manner. This unfortunately does not allow for users of differenttypes which may require different levels of configurations, etc. Just byway of example, users which may not necessarily require the same extentof configurations, permissions, etc, may still be limited to having atype of user account that is the same for other users requiring theconfigurations, permissions, etc.

Accordingly, it is desirable to provide techniques enabling thegeneration of user accounts in a database system having reducedconfigurations, permissions, etc. to reduce processing requirements ofthe database system.

BRIEF SUMMARY

In accordance with embodiments, there are provided mechanisms andmethods for portal user data access in a multi-tenant on-demand databasesystem. These mechanisms and methods for portal user data access in amulti-tenant on-demand database system can enable embodiments to provideportal-specific user accounts to the multi-tenant on-demand databasesystem which have reduced configuration requirements than users directlyaccessing the multi-tenant on-demand database system. The ability ofembodiments to provide portal-specific user accounts can reduceprocessing requirements of the database system.

In an embodiment and by way of example, a method for portal user dataaccess in a multi-tenant on-demand database system is provided. In use,a user object associated with a user having access to a multi-tenanton-demand database system via a portal associated with the multi-tenanton-demand database system is stored. Additionally, the user object isreferenced in at least one data object of the multi-tenant on-demanddatabase system. Furthermore, access to the data object of themulti-tenant on-demand database system is provided, based on thereference.

While one or more implementations and techniques are described withreference to an embodiment in which portal user data access in amulti-tenant on-demand database system is implemented in a system havingan application server providing a front end for an on-demand databaseservice capable of supporting multiple tenants, the one or moreimplementations and techniques are not limited to multi-tenant databasesnor deployment on application servers, Embodiments may be practicedusing other database architectures, i.e., ORACLE®, DB2® by IBM and thelike without departing from the scope of the embodiments claimed.

Any of the above embodiments may be used alone or together with oneanother in any combination. The one or more implementations encompassedwithin this specification may also include embodiments that are onlypartially mentioned or alluded to or are not mentioned or alluded to atall in this brief summary or in the abstract. Although variousembodiments may have been motivated by various deficiencies with theprior art, which may be discussed or alluded to in one or more places inthe specification, the embodiments do not necessarily address any ofthese deficiencies. In other words, different embodiments may addressdifferent deficiencies that may be discussed in the specification. Someembodiments may only partially address some deficiencies or just onedeficiency that may be discussed in the specification, and someembodiments may not address any of these deficiencies.

BRIEF DESCRIPTION OF THE DRAWINGS

In the following drawings like reference numbers are used to refer tolike elements. Although the following figures depict various examples,the one or more implementations are not limited to the examples depictedin the figures.

FIG. 1 illustrates a method for portal user data access in amulti-tenant on-demand database system, in accordance with anembodiment;

FIG. 2 illustrates a method for creating a portal user account, inaccordance with an embodiment;

FIG. 3A illustrates a method for configuring object access for portalusers, in accordance with an embodiment;

FIG. 3B illustrates a graphical user interface (GUI) for initiatingcreation of a sharing set to be used in providing object access toportal users, in accordance with FIG. 3A;

FIG. 3C illustrates a GUI for defining a name and description for asharing set to be used in providing object access to portal users, inaccordance with the method of FIG. 3A;

FIG. 3D illustrates a GUI for associating a portal user profile to thesharing set, in accordance with the method of FIG. 3A;

FIG. 3E illustrates a GUI for associating a data object to the sharingset, in accordance with the method of FIG. 3A;

FIG. 3F illustrates a GUI presenting an access mapping for data objects,in accordance with the method of FIG. 3A;

FIG. 3G illustrates a GUI for configuring an access mapping for dataobjects, in accordance with the method of FIG. 3A;

FIG. 4 illustrates a method for binding individual data records owned byportal users to a share group for the purpose of providing internalusers access to the data records, in accordance with an embodiment;

FIG. 5 illustrates a block diagram of an example of an environmentwherein an on-demand database service might be used; and

FIG. 6 illustrates a block diagram of an embodiment of elements of FIG.5 and various possible interconnections between these elements.

DETAILED DESCRIPTION General Overview

Systems and methods are provided for portal user data access in amulti-tenant on-demand database system.

As used herein, the term multi-tenant database system refers to thosesystems in which various elements of hardware and software of thedatabase system may be shared by one or more customers. For example, agiven application server may simultaneously process requests for a greatnumber of customers, and a given database table may store rows for apotentially much greater number of customers. As used herein, the termquery plan refers to a set of steps used to access information in adatabase system.

Next, mechanisms and methods for providing portal user data access in amulti-tenant on-demand database system will be described with referenceto example embodiments.

FIG. 1 illustrates a method 100 for portal user data access in amulti-tenant on-demand database system, in accordance with anembodiment. As shown in operation 102, a user object associated with auser having access to a multi-tenant on-demand database system via aportal associated with the multi-tenant on-demand database system isstored. In the context of the present description, the portal mayinclude any interface which redirects the user to the multi-tenanton-demand database system. For example, the user may indirectly accessesthe multi-tenant on-demand database system via the web interface.

In one embodiment, the portal may include a web interface which isspecific to a tenant (e.g. customer) of the multi-tenant on-demanddatabase system. For example, the multi-tenant on-demand database systemmay configure the web interface to be customized (e.g. branded) for thetenant. In this way, the user may appear to be accessing a site of thetenant when actually accessing a customized site provided for the tenantby the multi-tenant on-demand database system. In another embodiment,the user may access the multi-tenant on-demand database system via theportal, whereas the tenant may include an internal user which directlyaccesses the multi-tenant on-demand database system (e.g. via a webinterface customized for the multi-tenant on-demand database system).

As noted above, the multi-tenant on-demand database system stores a userobject associated with the user. The user object may include an objectused by the user for accessing the portal. For example, the user objectmay store login information for use in authorizing a login to the portalby the user. Of course, the user object may also store various profileinformation (e.g. demographic, historical activity, etc.) associatedwith the user, as an option.

It should be noted that similarly, the internal user noted above mayalso have an internal user object stored by the multi-tenant on-demanddatabase system. Such internal user object may be used by the internaluser for directly accessing the multi-tenant on-demand database system.For example, the internal user object may store login information foruse in authorizing a login to the multi-tenant on-demand database systemby the internal user. To this end, in order to access the multi-tenanton-demand database system either directly or indirectly (i.e. via theportal), any type of user may be required to have an associated type ofuser object stored by the multi-tenant on-demand database system. As anoption, the user object may be created upon a registration of the userwith the portal/multi-tenant on-demand database system.

Additionally, as shown in operation 104, the user object is referencedin at least one data object of the multi-tenant on-demand databasesystem. In the context of the present description, the data object mayinclude any object (e.g. record, etc.) stored by the multi-tenanton-demand database system which is at least potentially capable of beingaccessed by the user. Thus, the data object may store data that is atleast potentially accessible to the user. For example, the data objectmay be accessible to the user based on permissions for the user toaccess the data object, as described in more detail below.

As an option, the data object may be owned (e.g. and therefore managed)by a tenant of the multi-tenant on-demand database system. Just by wayof example, the tenant may have created the data object. As anotherexample, the data object may have been assigned to the tenant. Suchownership may optionally be indicated by virtue of a unique identifierof the tenant being stored in a field of the data object used forindicating an owner of the data object. It should be noted that thetenant may include the same or different tenant as the tenant associatedwith the portal via which the user accesses the multi-tenant on-demanddatabase system.

In one embodiment, the user object may be directly referenced in thedata object. Just by way of example, the user object may store a uniqueidentifier of the user object. The user object may then be referenced bythe data object by storing the unique identifier of the user object inthe data object. Optionally, the unique identifier of the user objectmay be stored in a field of the data object which is configured to storeidentifiers of user objects to indicate that users of such user objectsare allowed to access the data object.

In another embodiment, the user object may be indirectly referenced inthe data object. As an option, a unique identifier of a contact object(representing a contact) may be stored in the user object for relatingthe user object with the contact object. Further, the user object may bereferenced by the data object by storing the unique identifier of thecontact object in the data object. As yet another option, a uniqueidentifier of an account object (representing an account) may be storedin the contact object for relating the contact object with the accountobject, and the user object may be referenced by the data object bystoring the unique identifier of the account object in the data object.By using the unique identifier of an account object as described above,access to the data object may be granted to all of the portal usersassociated with that account object. However, by using the uniqueidentifier of a contact object which may be associated with a uniqueportal user, as described above, access to the data object mayoptionally only be granted to the unique portal user.

Still yet, the user object may be referenced in the data object inresponse to a manual request for an administrator of the tenant owningthe data object. As another option, the user object may be referenced inthe data object automatically in response to a determination that theuser owns the data object. In yet another embodiment, the user objectmay be referenced in the data object automatically in response to adetermination that the data object is of a public type (e.g. accesspermissions for the data object are set to public).

Furthermore, as shown in operation 106, access to the data object of themulti-tenant on-demand database system is provided, based on thereference. For example, if the data object includes the reference to theuser object, then the user may be allowed to access the data object. Asanother example, if the data object does not include the reference tothe user object, then the user may be denied access to the data object.

To this end, when a user attempts to access the data object (for examplevia a query for the data object associated with requesting a list,performing a search, running a report, viewing a record, etc.), it maybe determined whether the user is authorized to access the data object.In particular, it may be determined whether the user object isreferenced by the data object. Access to the data object, for example byreturning the data object in a query result, may optionally only begranted when the user object is referenced by the data object. It shouldbe noted that the access to the data object may include reading the dataobject, writing to the data object, deleting the data object, etc.

By conditionally providing a user access to data objects based on areference in the data object of a user object associated with the user,an amount of processing required for determining whether the user isallowed access to the data object may be minimal. For example, use ofgroup membership properties and/or relationship hierarchies fordetermining data object access may be avoided. In one embodiment,including the user object in a group and referencing the group in thedata object for use in granting/denying user access to data objects maybe avoided, such that a determination of whether the user associatedwith the user object is allowed access to the data object (whichinvolves first processing the group to identify all the user objectsallowed access to the data object and second comparing the user objectof the user requesting access with those identified user objects todetermine whether the user is allowed to access the data object) may beavoided.

To this end, a type of the user object may be different from a type ofuser object used for internal users of the multi-tenant on-demanddatabase system (i.e. which are configured using the aforementionedgroup memberships). This may allow the multi-tenant on-demand databasesystem to provide multiple different types of user objects, where thetype of user object associated with a user is dependent on the manner inwhich the user is allowed to access the multi-tenant on-demand databasesystem (i.e. directly or indirectly via the portal). For example, portalusers [hereinafter referred to as light portal users (LPUs)] may beassociated with user objects granted permission to access data objectsin the manner described above with respect to the method 100 of FIG. 1,whereas internal users may be associated with a different type of userobjects storing group membership information, etc. (and thus requiringadditional processing for determining permissions to access dataobjects).

FIG. 2 illustrates a method 200 for creating a portal user account, inaccordance with an embodiment. As an option, the present method 200 maybe carried out in the context of the functionality of FIG. 1. Forexample, the present method 200 may be carried out utilizing the portalof the multi-tenant on-demand database system described above in themethod 100 of FIG. 1. Of course, however, the method 200 may be carriedout in any desired environment. The aforementioned definitions may applyduring the present description.

As shown in decision 202, it is determined whether a request to createan LPU is received. In one embodiment, the request may be received inresponse to a user registering with the multi-tenant on-demand databasesystem via a portal. For example, the user may appear to be registeringwith a service provided by a tenant of the multi-tenant on-demanddatabase system for which the portal is customized by the multi-tenanton-demand database system.

In another embodiment, the request may be received in response to thetenant registering the user with the multi-tenant on-demand databasesystem on behalf of the user. For example, the user may be an existingcustomer of the tenant, such that the tenant may register the user withthe multi-tenant on-demand database system for use in providing the userwith access to data objects of the tenant stored by the multi-tenanton-demand database system. To this end, the request may be directlyreceived by the multi-tenant on-demand database system (e.g. from thetenant) or indirectly received by the multi-tenant on-demand databasesystem (e.g. from the user via the portal).

If it is determined that a request to create an LPU is not received, themethod 200 continues to wait until such a request is received. Once itis determined that a request to create an LPU is received, an LPU objecthaving a unique LPU identifier is created. Note operation 204. The LPUobject may include a predetermined type of object that is configured forregistering portal users with the multi-tenant on-demand databasesystem. As noted above, the LPU object has a unique LPU identifier, suchas a key for uniquely identifying the LPU object created for the LPU.The LPU object may also include fields for storing login information forthe LPU, profile information associated with the LPU, etc.

In one embodiment, the LPU object may be configured based on informationprovided by the LPU/tenant. In another embodiment, the LPU object may beconfigured automatically using a default profile.

It is then determined in decision 206 whether the LPU is to be assignedto a contact. The contact may be represented by an existing contactobject stored by the multi-tenant on-demand database system or a newcontact object not yet stored by the multi-tenant on-demand databasesystem. Thus, the LPU may be assigned to the contact by assigning theLPU object to the contact object (after creation of the contact objectif necessary).

The contact object may optionally store information associated with theLPU which is additional to the information included in the LPU object.Accordingly, the contact object may be a different type of object thanthe LPU object, and may include different fields than the fields of theLPU object for storing different types of information than the LPUobject. Just by way of example, the contact object may store contactinformation associated with the LPU, such as an email address, atelephone number, an address, etc. In this way, the LPU object may havea one-to-one relationship with the contact object.

It should be noted that the determination of whether to create thecontact object may optionally be based on the registration performed bythe LPU or tenant. For example, if the LPU or tenant enters the contactinformation for the LPU during the registration, then the contact objectmay be created and the LPU assigned to the associated contact. Ofcourse, as another option, the contact object may be automaticallycreated based on a rule specified by the tenant associated with theportal via which the LPU is to access to the multi-tenant on-demanddatabase system.

If it is determined that the LPU is to be assigned to a contact, then acontact identifier is stored in the LPU object. Note operation 208. Thecontact identifier may include a unique identifier of the contact objectassociated with the LPU. If, however, it is determined that the LPU isnot to be assigned to a contact, or once the LPU is assigned to thecontact, it is further determined in decision 210 whether the LPU is tobe assigned to an account.

In the present embodiment, the account may be represented by an existingaccount object stored by the multi-tenant on-demand database system or anew account object not yet stored by the multi-tenant on-demand databasesystem. Thus, the LPU may be assigned to the account by assigning theLPU object to the account object (after creation of the account objectif necessary).

The account object may optionally store information associated with anaccount (e.g. portal account) under which the LPU is registering withthe multi-tenant on-demand database system. For example, the account mayinclude an account with the tenant of the multi-tenant on-demanddatabase system, and specifically with the portal of the tenant.Accordingly, the account object may store information associated withthe LPU which is additional to the information stored by the LPU objectand the contact object.

For example, the account object may be a different type of object thanthe LPU object and the contact object, and may include different fieldsthan the fields of the LPU object and contact object for storingdifferent types of information than the LPU object and contact object.Just by way of example, the account object may store account informationassociated with the portal. Since the account may be associated withmultiple LPUs, the account object may optionally have a one-to-manyrelationship with LPU objects.

It should be noted that the determination of whether to create theaccount object may optionally be based on the registration performed bythe LPU or tenant. For example, if the LPU or tenant enters the accountinformation for the LPU during the registration, then the account objectmay be created and the LPU assigned to the associated account. Ofcourse, as another option, the account object may be automaticallycreated based on a rule specified by the tenant associated with theportal via which the LPU is to access to the multi-tenant on-demanddatabase system.

If it is determined that the LPU is to be assigned to an account, thenan account identifier is stored in the LPU object. Note operation 212.The account identifier may include a unique identifier of the accountobject associated with the LPU. If however, it is determined that theLPU is not to be assigned to an account, or once the LPU is assigned tothe account, the method 200 terminates. In this way, an LPU object maybe created for an LPU and optionally assigned to a contact object and/oraccount object, during registration of the LPU with the multi-tenanton-demand database system.

In an alternative embodiment (not shown), the association of an LPU withone or more objects, such as an account or a contact, could be mandatoryfor providing access. Thus, for example, the LPU may be required to beassigned to a contact and an account, in an embodiment. For example, theLPU may be directly associated with the contact, and also automaticallyassociated with the parent account of the contact. In yet anotherembodiment, another type of object present in the system—other thanaccount or contact—could be used by the designers of the system to makeassociations between LPUs and data objects for the purpose ofconfiguring data access. In yet another embodiment, administrators ofthe system could themselves create and designate new objects in thesystem to be used to configure data access to LPUs.

Table 1 illustrates various examples of LPUs which could be registeredusing the LPU object. Of course, it should be noted that the examplesshown in Table 1 are set forth for illustrative purposes only, and thusshould not be construed as limiting in any manner.

TABLE 1 1) users registered with an application store of themulti-tenant on-demand database system; 2) users registered with aservice of a tenant of the multi-tenant on-demand database system, e.g.for accessing the multi-tenant on-demand database system for    a)viewing public objects, such as frequently asked questions,   self-support diagnostics, user manuals, etc.    b) submitting an openissue (e.g. case or ticket) associated with    the service 3) usersregistered for reading, creating, commenting, voting, etc. on dataobjects (e.g. ideas, discussion topics, etc.) stored by the multi-tenanton-demand database system, etc. 4) users registered for viewing employeeinformation, such as paid time off available, benefits, etc.

Table 2 illustrates the various internal users who may create and/orutilize the LPU object for various purposes. It should be noted that theportal administrator referenced in Table 2 may include a tenantadministrator managing the portal of the tenant. Again, the examplesshown in Table 2 are set forth for illustrative purposes only, and thusshould not be construed as limiting in any manner.

TABLE 2 “As a . . . ” “ . . . I want to . . . ” [required Number [usertype] functionality] “ . . . so that I can [use case]” 1 Portal createusers with the LPU type and create a portal in which my Administratorprofile for my portal organization can manage relationships with a verylarge number of existing and/or potential customers 2 Portal provideaccess for LPUs to records allow LPUs to participate in internalAdministrator owned by internal users processes such as ecommerce andcustomer service, and in community activities such as voting andcommenting on Ideas and discussions 3 Portal provide access for internalusers to establish roles and processes by Administrator records owned byLPUs which internal users can manage the activities of LPUs in sales andsupport business processes, and can act as moderators and experts incommunity discussions and activities 4 Portal assign LPUs to specialportal provide access for those LPUs to the Administrator groups thatare mapped to appropriate Knowledge Base Knowledge Base permissions toArticles Data Dimensions 5 Portal manage LPUs through an admin maintainappropriate access to Administrator UI portals when users becomeinactive, need to be reactivated, and/or need to be deleted 6 Portalcreate new LPUs and associate automate the creation of new portalDeveloper them with portals through the users in a scalable way throughthe Metadata API portal registration process 7 Portal assign LPUs tospecial portal automate provision of access for Developer groups mappedto Knowledge LPUs to the appropriate Knowledge Base permissions to DataBase Articles in a scalable way Dimensions through the Metadata throughthe portal registration API process

FIG. 3A illustrates a method 300 for configuring object access forportal users, in accordance with an embodiment. As an option, method 300may be carried out in the context of the functionality of FIGS. 1-2. Forexample, the method 300 may be provided to a tenant by the multi-tenanton-demand database system. Of course, however, the method 300 may becarried out in any desired environment. Yet again, the aforementioneddefinitions may apply during the present description.

As shown in operation 302, a new sharing set is created. The sharing setmay include any object capable of being utilized for providing objectaccess to portal users. In one embodiment, the sharing set may becreated in response to a user selection to create the new sharing set,as shown in FIG. 3B. Specifically, FIG. 3B illustrates a GUI forinitiating creation of a sharing set to be used in providing objectaccess to portal users.

In addition, a name and description are defined for the sharing setcreated in operation 302. Note operation 304. The name may include aunique identifier for the sharing set which may be used to subsequentlyaccess the sharing set (e.g. via the GUI shown in FIG. 3B), such as formodifying the sharing set. The description may include text describingthe sharing set. The sharing set name and description may be configuredby a user, for example, using the GUI shown in FIG. 3C.

Further, a user profile is associated to the sharing set, as shown inoperation 306. In the present embodiment, the user profile may include aprofile encompassing all portal users (or at least a subset of allportal users). For example, the user profile may be a group of whichportal users are members. FIG. 3D illustrates an exemplary GUI forassociating a portal user profile to the sharing set, namely via userselection of the portal user profile.

It is then determined in decision 308 whether another user profile is tobe associated to the sharing set. Accordingly, multiple user profilesmay optionally be associated with the sharing set. If it is determinedthat another user profile is to be associated to the sharing set, themethod 300 returns to operation 306.

However, if it is determined that another user profile is not to beassociated to the sharing set, a data object is associated to thesharing set. Note operation 310. The data object may include any dataobject to which access to the portal users of the associated portal userprofile is to be granted. FIG. 3E illustrates a GUI for associating adata object to the sharing set, for example, by allowing user selectionof the data object.

It is then determined in decision 312 whether another data object is tobe associated to the sharing set. Thus, multiple data objects mayoptionally be associated to the sharing set, for allowing the portalusers of the associated portal user profile access to such data objects.If it is determined that another data object is to be associated to thesharing set, the method 300 returns to operation 310.

In response to a determination that another data object is not to beassociated to the sharing set, an access mapping for each data objectassociated to the sharing set is configured. Note operation 314. Theaccess mapping may indicate a manner in which access to each data objectassociated to the sharing set is determined. For example, access to aparticular data object may be granted for portal users of the associatedportal user profile being associated with a particular account or aparticular contact.

FIG. 3F illustrates a GUI presenting an access mapping for data objects.The access mapping is presented by showing for each data objectassociated to the sharing set, a manner in which access to that dataobject is determined (e.g. via a particular account or a particularcontact), and a type of access (access level) granted to that dataobject. FIG. 3G illustrates a GUI for configuring an access mapping fordata objects. As shown in FIG. 3G, a user may select whether access to adata object associated to the sharing set is be granted to portal usersof the portal user profile associated to the data set that areassociated with (i.e. assigned to) a particular account or a particularcontact. As also shown in FIG. 3G, for the selected option to grantaccess based on account/contact, the user may further select for whichparticular account/contact associated portal users of the associatedportal user profile are to be granted access to the data object. Asfurther shown in FIG. 3G, a level of access to be granted to theaforementioned portal users may be configured, where such level mayinclude read-only, read/write, etc.

To this end, a centralized user interface (e.g. with multiple GUIs) maybe provided with the features described in Table 3, for managing LPUsthat are members of a portal. It should be noted that the features shownin Table 3 are set forth for illustrative purposes only, and thus shouldnot be construed as limiting in any manner.

TABLE 3 a new page for each portal may allow the portal admin to searchthrough the existing users of the portal, identify a subset of users tomanage, and take actions on their membership status due to the largenumber of LPUs possibly expected, the minimal requirement for thismembership management page may be a list view with full paging andfiltering capabilities - the preferred user interface may be task andsearch based instead of list based and avoid requiring the Portal adminto page through extremely long lists of users however the PortalAdministrator may arrive at the list of users they wish to manage, theUI may also include controls for selecting one or more users and takingaction on their membership status, including declaring users inactive,reactivating them if they are already inactive the ability to createLPUs manually from the UI may be controlled by a new profile permissionPortal Administrators may have the ability to select a “New Light PortalUser” button on the list of Portal users When creating the new user, thePortal Administrator may be restricted to creating users of the LightPortal User type - that is, they may not see any choices for profilesthat are not associated with the LPU object type the PortalAdministrator may be able to optionally associate the new LPU with aPortal Account and/or a Contact, in preparation for the visibility modelto be configured to LPUs for different objects the Portal Administratormay be able to inactivate an LPU, and reactive an LPU that is inactive

FIG. 4 illustrates a method 400 for binding individual data recordsowned by portal users to a share group for the purpose of providinginternal users access to the data records, in accordance with anembodiment. As an option, the present method 400 may be carried out inthe context of the functionality of FIGS. 1-3G. For example, the method400 may be carried out by the multi-tenant on-demand database system. Ofcourse, however, the method 400 may be carried out in any desiredenvironment. The aforementioned definitions may apply during the presentdescription.

As shown in decision 402, it is determined whether internal user accessis to be granted to an LPU owned object. In the present embodiment, anLPU owned object includes a data object to which an LPU is designated asan owner. As an option, the determination may be made by a tenant of amulti-tenant on-demand database system. For example, the determinationmay be made by an administrator of the tenant, such that theadministrator may determine if any internal users of the tenant (or allinternal users of the tenant, and thus the tenant itself) are to begranted access to the LPU owned object.

In one embodiment, the determination may be based on a tenantadministrator requesting to set permissions for an internal user to haveaccess to the LPU owned object. For example, the GUI 340 of FIG. 3E maybe used by the tenant administrator to request that the internal userhave access to an LPU owned object, as described above.

If it is determined that internal user access is not to be granted to anLPU owned object, the method 400 continues to wait for an indicationthat internal user access is not to be granted to an LPU owned object.Once it is determined that internal user access is to be granted to anLPU owned object, a portal associated with the LPU is determined. Noteoperation 404. In the present embodiment, the portal includes a portalprovided by the multi-tenant on-demand database system via which the LPUowning the object accessing the multi-tenant on-demand database system.In one embodiment, the portal may be identified in response to aselection via a GUI of the portal by the tenant administrator (e.g. theGUI 310 of FIG. 3B listing the portals).

A system group associated with the portal is then identified, as shownin operation 406. For example, each portal of a tenant may be associatedwith a single system group (e.g. via assignment of the system group tothe portal). Thus, the system group may be associated with the tenantproviding the portal. The system group may optionally be represented bya system group object stored by the multi-tenant on-demand databasesystem. The system group may optionally be automatically identifiedusing a reference between an identifier of the portal and an identifierof the system group.

Furthermore, as shown in operation 408, a system group identifier isstored in the LPU owned object. The system group identifier may includea unique identifier of the system group object, for example. By storingthe system group identifier in the owned object, all members of thesystem group (e.g. as configured via the GUI 340 of FIG. 3E) may begranted access to the LPU owned object. For example, in conjunction withthe identification of the system group/portal (operations 404-406), theLPU owned object may also be identified, such that the system group maybe assigned to the LPU owned object for specifically granting themembers of the system group access to the LPU owned object. In analternative embodiment, the system group identifier may not necessarilybe stored directly in the LPU owned object, but instead may be stored ina separate table referenced by the LPU owned object.

For increased granularity in granting access to only specific members ofthe system group, a user interface for internal users to the LPU ownedrecord may be built by the tenant associated with the portal. The userinterface may allow filtering of which internal users or groups ofinternal users are allowed access to the LPU object by referring to dataon the LPU owned object itself.

As noted above, internal users may be granted access to LPU ownedobjects through a system group associated with a portal. If the internalusers are members of an access group of a portal, they will have fullaccess to all the data owned by the LPUs belonging to that portal. Thismay be implemented by writing share rows to a corresponding share table,and at run time doing a join between the share table and groupmembership table.

In such a system, objects may be related to each other in parent-childrelationships. For example, one object (the “parent” object) may beassociated with 1-n objects of another object type (the “child”objects). When an internal user has access to a child record, theinternal user may also gain implicit read access to the parent record.For example, if an internal user has access to a child case, he also hasat least read access to the parent account of the case, which may beimplemented by writing a share row with full access in a case sharetable, and writing a share row with read access in an account sharetable.

An object—such as an account—may be the parent object of other objectsthat don't have their own sharing model, such as a contract or contact.In this case, the same access rules and settings that apply to theparent object also determine whether a particular user will have accessto any of its child objects. Furthermore, when such a child object isowned by an LPU, and made available to internal users of the systemthrough the system group associated with the portal, a share record maybe written in the associated share table of the parent object. Thisshare record may designate that all members of the system groupassociated with the portal will have “full” access to all child objectsof the parent object which are owned by LPU users associated with thatportal. Full access would allow these internal users to perform anyoperation on these objects, including reading, editing, deleting andchanging the owner of each object. In such a case the system wouldprovide only read access to other child objects of the same parentobject, which are not owned by LPUs. This allows administrators of thesystem to limit the amount of data to which internal users have fullaccess.

In another potential embodiment, the level of access provided to themembers of the portal system group could be restricted to a lesser levelof permission, such as Read or Edit. In yet another embodiment, thelevel of access provided by the portal system group could beconfigurable by an administrative user. In yet another embodiment, thelevel of access could be configurable by the administrator for each typeof object that is shared to internal users through the portal systemgroup.

System Overview

FIG. 5 illustrates a block diagram of an environment 510 wherein anon-demand database service might be used. Environment 510 may includeuser systems 512, network 514, system 516, processor system 517,application platform 518, network interface 520, tenant data storage522, system data storage 524, program code 526, and process space 528.In other embodiments, environment 510 may not have all of the componentslisted and/or may have other elements instead of, or in addition to,those listed above.

Environment 510 is an environment in which an on-demand database serviceexists. User system 512 may be any machine or system that is used by auser to access a database user system. For example, any of user systems512 can be a handheld computing device, a mobile phone, a laptopcomputer, a work station, and/or a network of computing devices. Asillustrated in FIG. 5 (and in more detail in FIG. 6) user systems 512might interact via a network 514 with an on-demand database service,which is system 516.

An on-demand database service, such as system 516, is a database systemthat is made available to outside users that do not need to necessarilybe concerned with building and/or maintaining the database system, butinstead may be available for their use when the users need the databasesystem (e.g., on the demand of the users). Some on-demand databaseservices may store information from one or more tenants stored intotables of a common database image to form a multi-tenant database system(MTS). Accordingly, “on-demand database service 516” and “system 516”will be used interchangeably herein. A database image may include one ormore database objects. A relational database management system (RDMS) orthe equivalent may execute storage and retrieval of information againstthe database object(s). Application platform 518 may be a framework thatallows the applications of system 516 to run, such as the hardwareand/or software, e.g., the operating system. In an embodiment, on-demanddatabase service 516 may include an application platform 518 thatenables creation, managing and executing one or more applicationsdeveloped by the provider of the on-demand database service, usersaccessing the on-demand database service via user systems 512, or thirdparty application developers accessing the on-demand database servicevia user systems 512.

The users of user systems 512 may differ in their respective capacities,and the capacity of a particular user system 512 might be entirelydetermined by permissions (permission levels) for the current user. Forexample, where a salesperson is using a particular user system 512 tointeract with system 516, that user system has the capacities allottedto that salesperson. However, while an administrator is using that usersystem to interact with system 516, that user system has the capacitiesallotted to that administrator. In systems with a hierarchical rolemodel, users at one permission level may have access to applications,data, and database information accessible by a lower permission leveluser, hut may not have access to certain applications, databaseinformation, and data accessible by a user at a higher permission level.Thus, different users will have different capabilities with regard toaccessing and modifying application and database information, dependingon a user's security or permission level.

Network 514 is any network or combination of networks of devices thatcommunicate with one another. For example, network 514 can be any one orany combination of a LAN (local area network), WAN (wide area network),telephone network, wireless network, point-to-point network, starnetwork, token ring network, hub network, or other appropriateconfiguration. As the most common type of computer network in currentuse is a TCP/IP (Transfer Control Protocol and Internet Protocol)network, such as the global internetwork of networks often referred toas the “Internet” with a capital “I,” that network will be used in manyof the examples herein. However, it should be understood that thenetworks that the one or more implementations might use are not solimited, although TCP/IP is a frequently implemented protocol.

User systems 512 might communicate with system 516 using TCP/IP and, ata higher network level, use other common Internet protocols tocommunicate, such as HTTP, FTP, AES, WAP, etc. In an example where HTTPis used, user system 512 might include an HTTP client commonly referredto as a “browser” for sending and receiving HTTP messages to and from anHTTP server at system 516. Such an HTTP server might be implemented asthe sole network interface between system 516 and network 514, but othertechniques might be used as well or instead. In some implementations,the interface between system 516 and network 514 includes load sharingfunctionality, such as round-robin HTTP request distributors to balanceloads and distribute incoming HTTP requests evenly over a plurality ofservers. At least as for the users that are accessing that server, eachof the plurality of servers has access to the MTS′ data; however, otheralternative configurations may be used instead.

In one embodiment, system 516, shown in FIG. 5, implements a web-basedcustomer relationship management (CRM) system. For example, in oneembodiment, system 516 includes application servers configured toimplement and execute CRM software applications as well as providerelated data, code, forms, webpages and other information to and fromuser systems 512 and to store to, and retrieve from, a database systemrelated data, objects, and Webpage content. With a multi-tenant system,data for multiple tenants may be stored in the same physical databaseobject, however, tenant data typically is arranged so that data of onetenant is kept logically separate from that of other tenants so that onetenant does not have access to another tenant's data, unless such datais expressly shared. In certain embodiments, system 516 implementsapplications other than, or in addition to, a CRM application. Forexample, system 516 may provide tenant access to multiple hosted(standard and custom) applications, including a CRM application. User(or third party developer) applications, which may or may not includeCRM, may be supported by the application platform 518, which managescreation, storage of the applications into one or more database objectsand executing of the applications in a virtual machine in the processspace of the system 516.

One arrangement for elements of system 516 is shown in FIG. 5, includinga network interface 520, application platform 518, tenant data storage522 for tenant data 523, system data storage 524 for system data 525accessible to system 516 and possibly multiple tenants, program code 526for implementing various functions of system 516, and a process space528 for executing MTS system processes and tenant-specific processes,such as running applications as part of an application hosting service.Additional processes that may execute on system 516 include databaseindexing processes.

Several elements in the system shown in FIG. 5 include conventional,well-known elements that are explained only briefly here. For example,each user system 512 could include a desktop personal computer,workstation, laptop, PDA, cell phone, or any wireless access protocol(WAP) enabled device or any other computing device capable ofinterfacing directly or indirectly to the Internet or other networkconnection. User system 512 typically runs an HTTP client, e.g., abrowsing program, such as Microsoft's Internet Explorer browser,Netscape's Navigator browser, Opera's browser, or a WAP-enabled browserin the case of a cell phone, PDA or other wireless device, or the like,allowing a user (e.g., subscriber of the multi-tenant database system)of user system 512 to access, process and view information, pages andapplications available to it from system 516 over network 514. Each usersystem 512 also typically includes one or more user interface devices,such as a keyboard, a mouse, trackball, touch pad, touch screen, pen orthe like, for interacting with a graphical user interface (GUI) providedby the browser on a display (e.g., a monitor screen, LCD display, etc.)conjunction with pages, forms, applications and other informationprovided by system 516 or other systems or servers. For example, theuser interface device can be used to access data and applications hostedby system 516, and to perform searches on stored data, and otherwiseallow a user to interact with various GUI pages that may be presented toa user. As discussed above, embodiments are suitable for use with theInternet, which refers to a specific global internetwork of networks.However, it should be understood that other networks can be used insteadof the Internet, such as an intranet, an extranet, a virtual privatenetwork (VPN), a non-TCP/IP based network, any LAN or WAN or the like.

According to one embodiment, each user system 512 and all of itscomponents are operator configurable using applications, such as abrowser, including computer code run using a central processing unitsuch as an Intel Pentium® processor or the like. Similarly, system 516(and additional instances of an MTS, where more than one is present) andall of their components might be operator configurable usingapplication(s) including computer code to run using a central processingunit such as processor system 517, which may include an Intel Pentium®processor or the like, and/or multiple processor units. A computerprogram product embodiment includes a machine-readable storage medium(media) having instructions stored thereon/in which can be used toprogram a computer to perform any of the processes of the embodimentsdescribed herein. Computer code for operating and configuring system 516to intercommunicate and to process webpages, applications and other dataand media content as described herein are preferably downloaded andstored on a hard disk, but the entire program code, or portions thereof,may also be stored in any other volatile or non-volatile memory mediumor device as is well known, such as a ROM or RAM, or provided on anymedia capable of storing program code, such as any type of rotatingmedia including floppy disks, optical discs, digital versatile disk(DVD), compact disk (CD), microdrive, and magneto-optical disks, andmagnetic or optical cards, nanosystems (including molecular memory ICs),or any type of media or device suitable for storing instructions and/ordata. Additionally, the entire program code, or portions thereof, may betransmitted and downloaded from a software source over a transmissionmedium, e.g., over the Internet, or from another server, as is wellknown, or transmitted over any other conventional network connection asis well known (e.g., extranet, VPN. LAN, etc.) using any communicationmedium and protocols (e.g., TCP/IP, HTTP, HTTPS, Ethernet, etc.) as arewell known. It will also be appreciated that computer code forimplementing embodiments can be implemented in any programming languagethat can be executed on a client system and/or server or server systemsuch as, for example, C, C++, HTML, any other markup language, Java™,JavaScript, ActiveX, any other scripting language, such as VBScript, andmany other programming languages as are well known may be used. (Java™is a trademark of Sun Microsystems, Inc.).

According to one embodiment, each system 516 is configured to providewebpages, forms, applications, data and media content to user (client)systems 512 to support the access by user systems 512 as tenants ofsystem 516. As such, system 516 provides security mechanisms to keepeach tenant's data separate unless the data is shared. If more than oneMTS is used, they may be located in close proximity to one another(e.g., in a server farm located in a single building or campus), or theymay be distributed at locations remote from one another (e.g., one ormore servers located in city A and one or more servers located in cityB). As used herein, each MTS could include one or more logically and/orphysically connected servers distributed locally or across one or moregeographic locations. Additionally, the term “server” is meant toinclude a computer system, including processing hardware and processspace(s), and an associated storage system and database application(e.g., OODBMS or RDBMS) as is well known in the art. It should also beunderstood that “server system” and “server” are often usedinterchangeably herein. Similarly, the database object described hereincan be implemented as single databases, a distributed database, acollection of distributed databases, a database with redundant online oroffline backups or other redundancies, etc., and might include adistributed database or storage network and associated processingintelligence.

FIG. 6 also illustrates environment 510. However, in FIG. 6 elements ofsystem 516 and various interconnections in an embodiment are furtherillustrated. FIG. 6 shows that user system 512 may include processorsystem 512A, memory system 512B, input system 512C, and output system512D. FIG. 6 shows network 514 and system 516. FIG. 6 also shows thatsystem 516 may include tenant data storage 522, tenant data 523, systemdata storage 524, system data 525, User Interface (UI) 630, ApplicationProgram Interface (API) 632, PL/SOQL 634, save routines 636, applicationsetup mechanism 638, applications servers 600 ₁-600 _(N), system processspace 602, tenant process spaces 604, tenant management process space610, tenant storage area 612, user storage 614, and application metadata616. In other embodiments, environment 510 may not have the sameelements as those listed above and/or may have other elements insteadof, or in addition to, those listed above.

User system 512, network 514, system 516, tenant data storage 522, andsystem data storage 524 were discussed above in FIG. 5. Regarding usersystem 512, processor system 512A may be any combination of one or moreprocessors. Memory system 512B may be any combination of one or morememory devices, short term, and/or long term memory. Input system 512Cmay be any combination of input devices, such as one or more keyboards,mice, trackballs, scanners, cameras, and/or interfaces to networks.Output system 512D may be any combination of output devices, such as oneor more monitors, printers, and/or interfaces to networks. As shown byFIG. 6, system 516 may include a network interface 520 (of FIG. 5)implemented as a set of HTTP application servers 600, an applicationplatform 518, tenant data storage 522, and system data storage 524. Alsoshown is system process space 602, including individual tenant processspaces 604 and a tenant management process space 610. Each applicationserver 600 may be configured to tenant data storage 522 and the tenantdata 523 therein, and system data storage 524 and the system data 525therein to serve requests of user systems 512. The tenant data 523 mightbe divided into individual tenant storage areas 612, which can be eithera physical arrangement and/or a logical arrangement of data. Within eachtenant storage area 612, user storage 614 and application metadata 616might be similarly allocated for each user. For example, a copy of auser's most recently used (MRU) items might be stored to user storage614. Similarly, a copy of MRU items for an entire organization that is atenant might be stored to tenant storage area 612. A UI 630 provides auser interface and an API 632 provides an application programmerinterface to system 516 resident processes to users and/or developers atuser systems 512. The tenant data and the system data may be stored invarious databases, such as one or more Oracle™ databases.

Application platform 518 includes an application setup mechanism 638that supports application developers' creation and management ofapplications, which may be saved as metadata into tenant data storage522 by save routines 636 for execution by subscribers as one or moretenant process spaces 604 managed by tenant management process 610 forexample. Invocations to such applications may be coded using PL/SOQL 634that provides a programming language style interface extension to API632. A detailed description of some PL/SOQL language embodiments isdiscussed in commonly owned co-pending U.S. Provisional PatentApplication 60/828,192 entitled, PROGRAMMING LANGUAGE METHOD AND SYSTEMFOR EXTENDING APIS TO EXECUTE IN CONJUNCTION WITH DATABASE APIS, byCraig Weissman, filed Oct. 4, 2006, which is incorporated in itsentirety herein for all purposes. Invocations to applications may bedetected by one or more system processes, which manages retrievingapplication metadata 616 for the subscriber making the invocation andexecuting the metadata as an application in a virtual machine.

Each application server 600 may be communicably coupled to databasesystems, e.g., having access to system data 525 and tenant data 523, viaa different network connection. For example, one application server 600₁ might be coupled via the network 514 (e.g., the Internet), anotherapplication server 600 _(N-1) might be coupled via a direct networklink, and another application server 600 _(N) might be coupled by yet adifferent network connection. Transfer Control Protocol and InternetProtocol (TCP/IP) are typical protocols for communicating betweenapplication servers 600 and the database system. However, it will beapparent to one skilled in the art that other transport protocols may beused to optimize the system depending on the network interconnect used.

In certain embodiments, each application server 600 is configured tohandle requests for any user associated with any organization that is atenant. Because it is desirable to be able to add and remove applicationservers from the server pool at any time for any reason, there ispreferably no server affinity for a user and/or organization to aspecific application server 600. In one embodiment, therefore, aninterface system implementing a load balancing function (e.g., an F5Big-IP load balancer) is communicably coupled between the applicationservers 600 and the user systems 512 to distribute requests to theapplication servers 600. In one embodiment, the load balancer uses aleast connections algorithm to route user requests to the applicationservers 600. Other examples of load balancing algorithms, such as roundrobin and observed response time, also can be used. For example, incertain embodiments, three consecutive requests from the same user couldhit three different application servers 600, and three requests fromdifferent users could hit the same application server 600. In thismanner, system 516 is multi-tenant, wherein system 516 handles storageof, and access to, different objects, data and applications acrossdisparate users and organizations.

As an example of storage, one tenant might be a company that employs asales force where each salesperson uses system 516 to manage their salesprocess. Thus, a user might maintain contact data, leads data, customerfollow-up data, performance data, goals and progress data, etc., allapplicable to that user's personal sales process (e.g., in tenant datastorage 522). In an example of a MTS arrangement, since all of the dataand the applications to access, view, modify, report, transmit,calculate, etc., can be maintained and accessed by a user system havingnothing more than network access, the user can manage his or her salesefforts and cycles from any of many different user systems. For example,if a salesperson is visiting a customer and the customer has Internetaccess in their lobby, the salesperson can obtain critical updates as tothat customer while waiting for the customer to arrive in the lobby.

While each user's data might be separate from other users' dataregardless of the employers of each user, some data might beorganization-wide data shared or accessible by a plurality of users orall of the users for a given organization that is a tenant. Thus, theremight be some data structures managed by system 516 that are allocatedat the tenant level while other data structures might be managed at theuser level. Because an MTS might support multiple tenants includingpossible competitors, the MTS should have security protocols that keepdata, applications, and application use separate. Also, because manytenants may opt for access to an MTS rather than maintain their ownsystem, redundancy, up-time, and backup are additional functions thatmay be implemented in the MTS. In addition to user-specific data andtenant specific data, system 516 might also maintain system level datausable by multiple tenants or other data. Such system level data mightinclude industry reports, news, postings, and the like that are sharableamong tenants.

In certain embodiments, user systems 512 (which may be client systems)communicate with application servers 600 to request and updatesystem-level and tenant-level data from system 516 that may requiresending one or more queries to tenant data storage 522 and/or systemdata storage 524. System 516 (e.g., an application server 600 in system516) automatically generates one or more SQL statements (e.g., one ormore SQL queries) that are designed to access the desired information.System data storage 524 may generate query plans to access the requesteddata from the database.

Each database can generally be viewed as a collection of objects, suchas a set of logical tables, containing data fitted into predefinedcategories. A “table” is one representation of a data object, and may beused herein to simplify the conceptual description of objects and customobjects. It should be understood that “table” and “object” may be usedinterchangeably herein. Each table generally contains one or more datacategories logically arranged as columns or fields in a viewable schema.Each row or record of a table contains an instance of data for eachcategory defined by the fields. For example, a CRM database may includea table that describes a customer with fields for basic contactinformation such as name, address, phone number, fax number, etc.Another table might describe a purchase order, including fields forinformation such as customer, product, sale price, date, etc. In somemulti-tenant database systems, standard entity tables might be providedfor use by all tenants. For CRM database applications, such standardentities might include tables for Account, Contact, Lead, andOpportunity data, each containing pre-defined fields. It should beunderstood that the word “entity” may also be used interchangeablyherein with “object” and “table”.

In some multi-tenant database systems, tenants may be allowed to createand store custom objects, or they may be allowed to customize standardentities or objects, for example by creating custom fields for standardobjects, including custom index fields. U.S. patent application Ser. No.10/817,161, filed Apr. 2, 2004, entitled “Custom Entities and Fields ina Multi-Tenant Database System”, and which is hereby incorporated hereinby reference, teaches systems and methods for creating custom objects aswell as customizing standard objects in a multi-tenant database system.In certain embodiments, for example, all custom entity data rows arestored in a single multi-tenant physical table, which may containmultiple logical tables per organization. It is transparent to customersthat their multiple “tables” are in fact stored in one large table orthat their data may be stored in the same table as the data of othercustomers.

While one or more implementations have been described by way of exampleand in terms of the specific embodiments, it is to be understood thatone or more implementations are not limited to the disclosedembodiments. To the contrary, it is intended to cover variousmodifications and similar arrangements as would be apparent to thoseskilled in the art. Therefore, the scope of the appended claims shouldbe accorded the broadest interpretation so as to encompass all suchmodifications and similar arrangements.

1. A computer program product, comprising a non-transitory computer usable medium having a computer readable program code embodied therein, the computer readable program code adapted to be executed to implement a method for portal user data access in a multi-tenant on-demand database system, the method comprising: storing a user object associated with a user having access to a multi-tenant on-demand database system via a portal associated with the multi-tenant on-demand database system; referencing the user object in at least one data object of the multi-tenant on-demand database system; and providing access to the data object of the multi-tenant on-demand database system, based on the reference, utilizing a processor.
 2. The computer program product of claim 1, wherein the portal includes a web interface specific to a tenant of the multi-tenant on-demand database system.
 3. The computer program product of claim 2, wherein the user indirectly accesses the multi-tenant on-demand database system via the web interface.
 4. The computer program product of claim 2, wherein the tenant includes at least one internal user object for use by an internal user in directly accessing the multi-tenant on-demand database system.
 5. The computer program product of claim 1, wherein the user object is stored by the multi-tenant on-demand database system.
 6. The computer program product of claim 1, wherein the user object stores a unique identifier.
 7. The computer program product of claim 7, wherein the user object is referenced by the data object by storing the unique identifier of the user object in the data object.
 8. The computer program product of claim 1, further comprising storing a unique identifier of a contact object in the user object for relating the user object with the contact object.
 9. The computer program product of claim 8, wherein the user object is referenced by the data object by storing the unique identifier of the contact object in the data object.
 10. The computer program product of claim 8, further comprising storing a unique identifier of an account object in the contact object for relating the contact object with the account object.
 11. The computer program product of claim 10, wherein the user object is referenced by the data object by storing the unique identifier of the account object in the data object.
 12. The computer program product of claim 1, wherein the data object stores data that is at least potentially accessible to the user.
 13. The computer program product of claim 1, wherein the data object is owned by a tenant of the multi-tenant on-demand database system.
 14. The computer program product of claim 1, wherein the access includes reading the data object.
 15. The computer program product of claim 1, further comprising storing another data object owned by the user.
 16. The computer program product of claim 15, further comprising granting a tenant of the multi-tenant on-demand database system access to the other data object owned by the user.
 17. The computer program product of claim 16, wherein the access is granted via a reference stored in the other data object to a system group associated with the tenant.
 18. The computer program product of claim 17, wherein a type of the access granted to the tenant is based on a determination of whether the tenant owns the portal.
 19. A method, comprising: storing a user object associated with a user having access to a multi-tenant on-demand database system via a portal associated with the multi-tenant on-demand database system; referencing the user object in at least one data object of the multi-tenant on-demand database system; and providing access to the data object of the multi-tenant on-demand database system, based on the reference.
 20. An apparatus, comprising: a processor for: storing a user object associated with a user having access to a multi-tenant on-demand database system via a portal associated with the multi-tenant on-demand database system; referencing the user object in at least one data object of the multi-tenant on-demand database system; and providing access to the data object of the multi-tenant on-demand database system, based on the reference.
 21. A method for transmitting code, comprising: transmitting code to store a user object associated with a user having access to a multi-tenant on-demand database system via a portal associated with the multi-tenant on-demand database system; transmitting code to reference the user object in at least one data object of the multi-tenant on-demand database system; and transmitting code to provide access to the data object of the multi-tenant on-demand database system, based on the reference. 